0
0
mirror of https://github.com/phpv8/v8js.git synced 2025-01-21 20:41:51 +00:00

v8js_object_export: add size checks + precission down casts

This commit is contained in:
Stefan Siegl 2017-03-10 23:49:18 +01:00
parent 7625d9b94f
commit db7c81d4fa

View File

@ -2,7 +2,7 @@
+----------------------------------------------------------------------+ +----------------------------------------------------------------------+
| PHP Version 5 | | PHP Version 5 |
+----------------------------------------------------------------------+ +----------------------------------------------------------------------+
| Copyright (c) 1997-2016 The PHP Group | | Copyright (c) 1997-2017 The PHP Group |
+----------------------------------------------------------------------+ +----------------------------------------------------------------------+
| http://www.opensource.org/licenses/mit-license.php MIT License | | http://www.opensource.org/licenses/mit-license.php MIT License |
+----------------------------------------------------------------------+ +----------------------------------------------------------------------+
@ -18,6 +18,7 @@
#include "php_v8js_macros.h" #include "php_v8js_macros.h"
#include "v8js_array_access.h" #include "v8js_array_access.h"
#include "v8js_exceptions.h"
#include "v8js_generator_export.h" #include "v8js_generator_export.h"
#include "v8js_object_export.h" #include "v8js_object_export.h"
#include "v8js_v8object_class.h" #include "v8js_v8object_class.h"
@ -42,7 +43,7 @@ static void v8js_call_php_func(zend_object *object, zend_function *method_ptr, v
zval fname, retval; zval fname, retval;
unsigned int argc = info.Length(), min_num_args = 0, max_num_args = 0; unsigned int argc = info.Length(), min_num_args = 0, max_num_args = 0;
char *error; char *error;
int error_len; zend_ulong error_len;
unsigned int i; unsigned int i;
v8js_ctx *ctx = (v8js_ctx *) isolate->GetData(0); v8js_ctx *ctx = (v8js_ctx *) isolate->GetData(0);
@ -77,7 +78,14 @@ static void v8js_call_php_func(zend_object *object, zend_function *method_ptr, v
(argc < min_num_args ? min_num_args : max_num_args) == 1 ? "" : "s", (argc < min_num_args ? min_num_args : max_num_args) == 1 ? "" : "s",
argc); argc);
return_value = V8JS_THROW(isolate, TypeError, error, error_len); if (error_len > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Generated error message length exceeds maximum supported length", 0);
}
else {
return_value = V8JS_THROW(isolate, TypeError, error, static_cast<int>(error_len));
}
if (object->ce == zend_ce_closure) { if (object->ce == zend_ce_closure) {
zend_string_release(method_ptr->internal_function.function_name); zend_string_release(method_ptr->internal_function.function_name);
efree(method_ptr); efree(method_ptr);
@ -100,7 +108,15 @@ static void v8js_call_php_func(zend_object *object, zend_function *method_ptr, v
} else { } else {
if (v8js_to_zval(info[i], &fci.params[i], ctx->flags, isolate TSRMLS_CC) == FAILURE) { if (v8js_to_zval(info[i], &fci.params[i], ctx->flags, isolate TSRMLS_CC) == FAILURE) {
error_len = spprintf(&error, 0, "converting parameter #%d passed to %s() failed", i + 1, method_ptr->common.function_name); error_len = spprintf(&error, 0, "converting parameter #%d passed to %s() failed", i + 1, method_ptr->common.function_name);
return_value = V8JS_THROW(isolate, Error, error, error_len);
if (error_len > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Generated error message length exceeds maximum supported length", 0);
}
else {
return_value = V8JS_THROW(isolate, Error, error, static_cast<int>(error_len));
}
efree(error); efree(error);
goto failure; goto failure;
} }
@ -311,7 +327,7 @@ static void v8js_named_property_enumerator(const v8::PropertyCallbackInfo<v8::Ar
void *ptr; void *ptr;
HashTable *proptable; HashTable *proptable;
zend_string *key; zend_string *key;
ulong index; zend_ulong index;
zend_object *object = reinterpret_cast<zend_object *>(self->GetAlignedPointerFromInternalField(1)); zend_object *object = reinterpret_cast<zend_object *>(self->GetAlignedPointerFromInternalField(1));
ce = object->ce; ce = object->ce;
@ -340,11 +356,23 @@ static void v8js_named_property_enumerator(const v8::PropertyCallbackInfo<v8::Ar
IS_MAGIC_FUNC(ZEND_ISSET_FUNC_NAME)) { IS_MAGIC_FUNC(ZEND_ISSET_FUNC_NAME)) {
continue; continue;
} }
v8::Local<v8::String> method_name = V8JS_ZSTR(method_ptr->common.function_name);
v8::Local<v8::String> method_name;
// rename PHP special method names to JS equivalents. // rename PHP special method names to JS equivalents.
if (IS_MAGIC_FUNC(ZEND_TOSTRING_FUNC_NAME)) { if (IS_MAGIC_FUNC(ZEND_TOSTRING_FUNC_NAME)) {
method_name = V8JS_SYM("toString"); method_name = V8JS_SYM("toString");
} }
else {
if (ZSTR_LEN(method_ptr->common.function_name) > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Method name length exceeds maximum supported length", 0);
return;
}
method_name = V8JS_STRL(ZSTR_VAL(method_ptr->common.function_name), static_cast<int>(ZSTR_LEN(method_ptr->common.function_name)));
}
result->Set(result_len++, method_name); result->Set(result_len++, method_name);
} ZEND_HASH_FOREACH_END(); } ZEND_HASH_FOREACH_END();
@ -362,13 +390,20 @@ static void v8js_named_property_enumerator(const v8::PropertyCallbackInfo<v8::Ar
if(ZSTR_VAL(key)[0] == '\0') { if(ZSTR_VAL(key)[0] == '\0') {
continue; continue;
} }
if (ZSTR_LEN(key) + 1 > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Object key length exceeds maximum supported length", 0);
continue;
}
// prefix enumerated property names with '$' so they can be // prefix enumerated property names with '$' so they can be
// dereferenced unambiguously (ie, don't conflict with method // dereferenced unambiguously (ie, don't conflict with method
// names) // names)
char *prefixed = static_cast<char *>(emalloc(ZSTR_LEN(key) + 2)); char *prefixed = static_cast<char *>(emalloc(ZSTR_LEN(key) + 2));
prefixed[0] = '$'; prefixed[0] = '$';
strncpy(prefixed + 1, ZSTR_VAL(key), ZSTR_LEN(key) + 1); strncpy(prefixed + 1, ZSTR_VAL(key), ZSTR_LEN(key) + 1);
result->Set(result_len++, V8JS_STRL(prefixed, ZSTR_LEN(key) + 1)); result->Set(result_len++, V8JS_STRL(prefixed, static_cast<int>(ZSTR_LEN(key) + 1)));
efree(prefixed); efree(prefixed);
} else { } else {
// even numeric indices are enumerated as strings in JavaScript // even numeric indices are enumerated as strings in JavaScript
@ -425,10 +460,10 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo<v8::Value>& info)
{ {
v8::Isolate *isolate = info.GetIsolate(); v8::Isolate *isolate = info.GetIsolate();
v8::Local<v8::Object> self = info.Holder(); v8::Local<v8::Object> self = info.Holder();
v8::Handle<v8::Value> return_value; v8::Handle<v8::Value> return_value = V8JS_NULL;
char *error; char *error;
int error_len; size_t error_len;
V8JS_TSRMLS_FETCH(); V8JS_TSRMLS_FETCH();
zend_class_entry *ce; zend_class_entry *ce;
@ -440,16 +475,33 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo<v8::Value>& info)
error_len = spprintf(&error, 0, error_len = spprintf(&error, 0,
"%s::__call expects 2 parameters, %d given", "%s::__call expects 2 parameters, %d given",
ce->name, (int) info.Length()); ce->name, (int) info.Length());
return_value = V8JS_THROW(isolate, TypeError, error, error_len);
if (error_len > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Generated error message length exceeds maximum supported length", 0);
}
else {
return_value = V8JS_THROW(isolate, TypeError, error, static_cast<int>(error_len));
}
efree(error); efree(error);
info.GetReturnValue().Set(return_value); info.GetReturnValue().Set(return_value);
return; return;
} }
if (!info[1]->IsArray()) { if (!info[1]->IsArray()) {
error_len = spprintf(&error, 0, error_len = spprintf(&error, 0,
"%s::__call expects 2nd parameter to be an array", "%s::__call expects 2nd parameter to be an array",
ce->name); ce->name);
return_value = V8JS_THROW(isolate, TypeError, error, error_len);
if (error_len > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Generated error message length exceeds maximum supported length", 0);
}
else {
return_value = V8JS_THROW(isolate, TypeError, error, static_cast<int>(error_len));
}
efree(error); efree(error);
info.GetReturnValue().Set(return_value); info.GetReturnValue().Set(return_value);
return; return;
@ -462,7 +514,15 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo<v8::Value>& info)
error_len = spprintf(&error, 0, error_len = spprintf(&error, 0,
"%s::__call expects fewer than a million arguments", "%s::__call expects fewer than a million arguments",
ce->name); ce->name);
return_value = V8JS_THROW(isolate, TypeError, error, error_len);
if (error_len > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Generated error message length exceeds maximum supported length", 0);
}
else {
return_value = V8JS_THROW(isolate, TypeError, error, static_cast<int>(error_len));
}
efree(error); efree(error);
info.GetReturnValue().Set(return_value); info.GetReturnValue().Set(return_value);
return; return;
@ -484,7 +544,15 @@ static void v8js_fake_call_impl(const v8::FunctionCallbackInfo<v8::Value>& info)
error_len = spprintf(&error, 0, error_len = spprintf(&error, 0,
"%s::__call to %s method %s", ce->name, "%s::__call to %s method %s", ce->name,
(method_ptr == NULL) ? "undefined" : "non-public", method_name); (method_ptr == NULL) ? "undefined" : "non-public", method_name);
return_value = V8JS_THROW(isolate, TypeError, error, error_len);
if (error_len > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Generated error message length exceeds maximum supported length", 0);
}
else {
return_value = V8JS_THROW(isolate, TypeError, error, static_cast<int>(error_len));
}
efree(error); efree(error);
info.GetReturnValue().Set(return_value); info.GetReturnValue().Set(return_value);
return; return;
@ -759,7 +827,13 @@ static v8::Handle<v8::Object> v8js_wrap_object(v8::Isolate *isolate, zend_class_
/* No cached v8::FunctionTemplate available as of yet, create one. */ /* No cached v8::FunctionTemplate available as of yet, create one. */
new_tpl = v8::FunctionTemplate::New(isolate, 0); new_tpl = v8::FunctionTemplate::New(isolate, 0);
new_tpl->SetClassName(V8JS_ZSTR(ce->name)); if (ZSTR_LEN(ce->name) > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Class name length exceeds maximum supported length", 0);
return v8::Local<v8::Object>();
}
new_tpl->SetClassName(V8JS_STRL(ZSTR_VAL(ce->name), static_cast<int>(ZSTR_LEN(ce->name))));
new_tpl->InstanceTemplate()->SetInternalFieldCount(2); new_tpl->InstanceTemplate()->SetInternalFieldCount(2);
if (ce == zend_ce_closure) { if (ce == zend_ce_closure) {
@ -855,7 +929,7 @@ static v8::Handle<v8::Object> v8js_wrap_array_to_object(v8::Isolate *isolate, zv
{ {
int i; int i;
zend_string *key; zend_string *key;
ulong index; zend_ulong index;
v8js_ctx *ctx = (v8js_ctx *) isolate->GetData(0); v8js_ctx *ctx = (v8js_ctx *) isolate->GetData(0);
v8::Local<v8::FunctionTemplate> new_tpl; v8::Local<v8::FunctionTemplate> new_tpl;
@ -899,9 +973,23 @@ static v8::Handle<v8::Object> v8js_wrap_array_to_object(v8::Isolate *isolate, zv
} }
continue; continue;
} }
newobj->Set(V8JS_ZSTR(key), zval_to_v8js(data, isolate TSRMLS_CC));
if (ZSTR_LEN(key) > std::numeric_limits<int>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Object key length exceeds maximum supported length", 0);
continue;
}
newobj->Set(V8JS_STRL(ZSTR_VAL(key), static_cast<int>(ZSTR_LEN(key))),
zval_to_v8js(data, isolate));
} else { } else {
newobj->Set(index, zval_to_v8js(data, isolate TSRMLS_CC)); if (index > std::numeric_limits<uint32_t>::max()) {
zend_throw_exception(php_ce_v8js_exception,
"Array index exceeds maximum supported bound", 0);
continue;
}
newobj->Set(static_cast<uint32_t>(index), zval_to_v8js(data, isolate));
} }
if (tmp_ht) { if (tmp_ht) {